1/* $NetBSD: tls.h,v 1.1 2008/10/31 16:12:19 christos Exp $ */ 2 3/*- 4 * Copyright (c) 2008 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Martin Sch�tte. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the NetBSD 21 * Foundation, Inc. and its contributors. 22 * 4. Neither the name of The NetBSD Foundation nor the names of its 23 * contributors may be used to endorse or promote products derived 24 * from this software without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36 * POSSIBILITY OF SUCH DAMAGE. 37 */ 38/* 39 * tls.h 40 * 41 */ 42#ifndef _TLS_H 43#define _TLS_H 44#include <openssl/x509v3.h> 45#include <openssl/err.h> 46#include <openssl/rand.h> 47#include <openssl/pem.h> 48 49/* initial size for TLS inbuf, minimum prefix + linelength 50 * guaranteed to be accepted */ 51#define TLS_MIN_LINELENGTH (2048 + 5) 52/* usually the inbuf is enlarged as needed and then kept. 53 * if bigger than TLS_PERSIST_LINELENGTH, then shrink 54 * to TLS_LARGE_LINELENGTH immediately */ 55#define TLS_LARGE_LINELENGTH 8192 56#define TLS_PERSIST_LINELENGTH 32768 57 58/* timeout to call non-blocking TLS operations again */ 59#define TLS_RETRY_EVENT_USEC 20000 60 61/* reconnect to lost server after n sec (initial value) */ 62#define TLS_RECONNECT_SEC 10 63/* backoff connection attempts */ 64#define TLS_RECONNECT_BACKOFF_FACTOR 15/10 65#define TLS_RECONNECT_BACKOFF(x) (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR 66/* abandon connection attempts after n sec 67 * This has to be <= 5h (with 10sec initial interval), 68 * otherwise a daily SIGHUP from newsylog will reset 69 * all timers and the giveup time will never be reached 70 * 71 * set here: 2h, reached after ca. 7h of reconnecting 72 */ 73#define TLS_RECONNECT_GIVEUP 60*60*2 74 75/* default algorithm for certificate fingerprints */ 76#define DEFAULT_FINGERPRINT_ALG "sha-1" 77 78/* default X.509 files */ 79#define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt" 80#define DEFAULT_X509_KEYFILE "/etc/openssl/default.key" 81 82/* options for peer certificate verification */ 83#define X509VERIFY_ALWAYS 0 84#define X509VERIFY_IFPRESENT 1 85#define X509VERIFY_NONE 2 86 87/* attributes for self-generated keys/certificates */ 88#define TLS_GENCERT_BITS 1024 89#define TLS_GENCERT_SERIAL 1 90#define TLS_GENCERT_DAYS 5*365 91 92/* TLS connection states */ 93#define ST_NONE 0 94#define ST_TLS_EST 1 95#define ST_TCP_EST 2 96#define ST_CONNECTING 3 97#define ST_ACCEPTING 4 98#define ST_READING 5 99#define ST_WRITING 6 100#define ST_EOF 7 101#define ST_CLOSING0 8 102#define ST_CLOSING1 9 103#define ST_CLOSING2 10 104 105/* backlog for listen */ 106#define TLSBACKLOG 4 107/* close TLS connection after multiple 'soft' errors */ 108#define TLS_MAXERRORCOUNT 4 109 110/* 111 * holds TLS related settings for one connection to be 112 * included in the SSL object and available in callbacks 113 * 114 * Many fields have a slightly different semantic for 115 * incoming and outgoing connections: 116 * - for outgoing connections it contains the values from syslog.conf and 117 * the server's cert is checked against these values by check_peer_cert() 118 * - for incoming connections it is not used for checking, instead 119 * dispatch_tls_accept() fills in the connected hostname/port and 120 * check_peer_cert() fills in subject and fingerprint from the peer cert 121 */ 122struct tls_conn_settings { 123 unsigned send_queue:1, /* currently sending buffer */ 124 errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */ 125 accepted:1, /* workaround cf. check_peer_cert*/ 126 shutdown:1, /* fast connection close on exit */ 127 x509verify:2, /* kind of validation needed */ 128 incoming:1, /* set if we are server */ 129 state:4; /* outgoing connection state */ 130 struct event *event; /* event for read/write activity */ 131 struct event *retryevent; /* event for retries */ 132 SSL *sslptr; /* active SSL object */ 133 char *hostname; /* hostname or IP we connect to */ 134 char *port; /* service name or port number */ 135 char *subject; /* configured hostname in cert */ 136 char *fingerprint; /* fingerprint of peer cert */ 137 char *certfile; /* filename of peer cert */ 138 unsigned reconnect; /* seconds between reconnects */ 139}; 140 141/* argument struct only used for tls_send() */ 142struct tls_send_msg { 143 struct filed *f; 144 struct buf_queue *qentry; 145 char *line; /* formatted message */ 146 size_t linelen; 147 size_t offset; /* in case of partial writes */ 148}; 149 150/* return values for TLS_examine_error() */ 151#define TLS_OK 0 /* no real problem, just ignore */ 152#define TLS_RETRY_READ 1 /* just retry, non-blocking operation not finished yet */ 153#define TLS_RETRY_WRITE 2 /* just retry, non-blocking operation not finished yet */ 154#define TLS_TEMP_ERROR 4 /* recoverable error condition, but try again */ 155#define TLS_PERM_ERROR 8 /* non-recoverable error condition, closed TLS and socket */ 156 157/* global TLS setup and utility */ 158char *init_global_TLS_CTX(void); 159struct socketEvent *socksetup_tls(const int, const char *, const char *); 160int check_peer_cert(int, X509_STORE_CTX *); 161int accept_cert(const char* , struct tls_conn_settings *, char *, char *); 162int deny_cert(struct tls_conn_settings *, char *, char *); 163bool read_certfile(X509 **, const char *); 164bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *); 165bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int); 166bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *); 167int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int); 168 169bool get_fingerprint(const X509 *, char **, const char *); 170bool get_commonname(X509 *, char **); 171bool match_hostnames(X509 *, const char *, const char *); 172bool match_fingerprint(const X509 *, const char *); 173bool match_certfile(const X509 *, const char *); 174 175/* configuration & parsing */ 176bool parse_tls_destination(const char *, struct filed *, size_t); 177/* event callbacks */ 178void dispatch_socket_accept(int, short, void *); 179void dispatch_tls_accept(int, short, void *); 180void dispatch_tls_read(int, short, void *); 181void dispatch_tls_send(int, short, void *); 182void dispatch_tls_eof(int, short, void *); 183void dispatch_SSL_connect(int, short, void *); 184void dispatch_SSL_shutdown(int, short, void *); 185void dispatch_force_tls_reconnect(int, short, void *); 186 187bool tls_connect(struct tls_conn_settings *); 188void tls_reconnect(int, short, void *); 189bool tls_send(struct filed *, char *, size_t, struct buf_queue*); 190void tls_split_messages(struct TLS_Incoming_Conn *); 191 192void free_tls_conn(struct tls_conn_settings *); 193void free_tls_sslptr(struct tls_conn_settings *); 194void free_tls_send_msg(struct tls_send_msg *); 195 196#endif /* !_TLS_H */ 197